from the copyright-where-it-doesn't-belong dept

So, by now you've heard the story of how Wired reporter Andy Greenberg allowed two car hackers to hack into a car that he was driving, remotely, while he was on a highway. The story is getting plenty of well-deserved attention, with some people raising a variety of concerns. The most obvious concern is the "holy hell, that seems scary, we should improve car security." And that's true. A second level of concern is over whether or not that experiment on a real highway was appropriate, given the very real potential of danger (including the truck that almost hit Greenberg). A third concern is over the reality of the threat, given that Greenberg was driving a car owned by the hackers, that they had the ability to touch previously (i.e. the "remote" part of the hack sounds scary, but it's less scary if hackers have to get into your car first).

However, the part that I wanted to focus on is related to a discussion we were just having a few weeks ago, in which General Motors (which was not the target of this particular hack) claimed that any sort of tinkering with their software, such as to discover these kinds of security holes, should be considered copyright infringement, thanks to Section 1201 of the DMCA. Section 1201, also known as the anti-circumvention provision, says circumventing "technological protection measures" (TPMs) -- even for reasons that have nothing to do with copyright -- should be deemed copyright infringement and subject to all the statutory damages (up to $150k per violation!) that copyright allows. Some have been pushing for an exemption for things like security researchers tinkering with new connected car systems to make sure they're safe. And GM and other automakers have said "no way." GM's argument is, more or less, that the company would prefer to put its head in the sand, and not have security researchers help it discover security flaws in its systems -- leaving only malicious attackers to find those.

While proponents such as Electronic Frontier Foundation characterize the exemption as merely allowing the vehicle owners to “tinker” with their vehicles “in a decades-old tradition of mechanical curiosity and self-reliance,” if granted, the proposed exemption could introduce safety and security issues as well as facilitate violation of various laws designed specifically to regulate the modern car, including emissions, fuel economy, and vehicle safety regulations.

Of course, copyright is not the right law to be relying on if you think that tinkering with your software could lead to safety problems. Instead, it seems to be the law that automakers are relying on to try to hide some of the security vulnerabilities in their cars.

The Association of Global Automakers goes even further with its argument, basically saying that since they already let security researchers of their own choosing do research, no one else should be able to do that research also:

Automobile manufacturers are not adverse to external input and have a long and symbiotic history with aftermarket businesses and others, but are justifiably unwilling to risk public safety, security, and environmental wellness by compromising quality controls and oversight. Moreover, the exemption is unnecessary given that automobile manufacturers already provide access to their valuable copyrighted materials for the precise purposes proposed. By allowing every automobile owner to access and copy automotive software in the name of research, the proposed exemption undermines existing research efforts and, ultimately, wrests control of such research from those in the best position to actually improve the security and safety of our automobiles: the automobile manufacturers and their suppliers, who have the utmost responsibility to ensure that vehicles are safe and secure. The very real risk that ostensibly legitimate research unwittingly undermines vehicle security by serving as a guidebook to software vulnerabilities that enables or even accelerates illicit hacking and malicious modifications to automotive software weighs heavily against the proposed exemption. The balance of benefit versus detriment, in view of all factors involved, simply dictates against the proposed exemption.

In short, since security researchers might find a really serious hole in our software that might put lives in danger, we're much better off using copyright law to make sure no one's even looking for such a hole. Are they serious? Wouldn't it be much better to give people incentives to find these kinds of security flaws so the automakers can fix them rather than relying on security-by-head-in-the-sand?

Finally, the Alliance of Automobile Manufacturers also opposed the exemption for some fairly bizarre reasons, claiming that it would magically free up researchers to disclose how a vulnerability works without first informing the manufacturer:

By arguing that the current legal landscape is too treacherous for independent researchers, proponents are in effect seeking to be freed from existing statutory constraints that are biased in favor of prudent and responsible practices – such as managing disclosure of security vulnerabilities to minimize the risk of legal violations and exploitation of those vulnerabilities by bad actors – to protect the safety and security of members of the public. For instance, under the proposed exemption, researchers who publish detailed analyses of vulnerabilities before sharing their findings with manufacturers would nonetheless benefit from a blanket exemption to circumvention liability, even though such premature publication could dramatically increase the risk of such harmful exploitations.

This is bullshit. There is nothing in removing the liability for circumvention that changes industry best practices of first alerting the manufacturer. That would still be standard practice. What it would do, however, is stop those manufacturers from responding by threatening a ridiculous copyright infringement lawsuit instead of realizing they need to fix a real problem in their systems. And if the automakers don't think such threats happen, we've got plenty of examples to send their way.

If the automakers are serious about wanting to make sure their cars on the road are safe, they should be encouraging this kind of research (though perhaps not on actual highways...). But the fact that copyright law is blocking some of this kind of research is a real travesty.

from the nummi dept

As some of you know, I have an undergraduate degree in industrial and labor relations -- which I got in the mid-90s. One of the things I remember clearly was that the big concerns at the time were over competition not from India or China -- which is what you hear about today -- but competition from Germany and Japan. I had multiple classes where we looked at how organizations and businesses worked in the US compared to Japan and Germany, with questions being asked about what methods made the most sense. A key case study was the case of NUMMI -- the New United Motor Manufacturing Inc. I remember having to do case studies on NUMMI in three separate classes.

The Classic NUMMI Story

The simple story: GM had an auto plant in Fremont, California that was the worst of the worst in terms of quality and productivity. The cars coming out of the factory were dreadful, and management and labor were constantly fighting -- even more than elsewhere, in an industry where labor and management have never been close. Eventually, in the early 80s, GM shut down the plant, but later worked out a deal with Toyota to reopen the plant under joint ownership -- with Toyota effectively running the plant. Both car companies could get something out of this. Toyota could start building cars in the US -- which was important as the US was threatening very high tariffs on imported Japanese cars -- and GM would learn about how Toyota was able to build cars of much higher quality than GM. Amazingly (and against the wishes of both companies initially), the same awful workers who had worked at the plant previously were rehired.

But, then something amazing happened. Under the Toyota process, the plant flourished. The relationship between labor and management was no longer antagonistic, and the plant became much more productive, and quality shot sky high. It was a success story in almost every way. Through the late 80s and 90s, NUMMI was seen as the key to reviving American manufacturing (especially in the auto industry).

The New NUMMI Story

Today, on April 1st, 2010, NUMMI is shutting down for good. Last weekend's This American Life had an hour-long episode all about what happened to NUMMI -- from the original, horrible old plant, to the revitalization, and then up through now as it's closing. The episode explains the second half of the story. If NUMMI was so miraculous, why is it now shutting down? Why is GM bankrupt? Hell, why is Toyota now recalling millions of cars over serious quality questions? What the hell happened?

Ideas Are Easy, Execution Is Hard

It really is a fascinating story all around -- but the key to me is that it highlights the vast difference between ideas and execution. We've said it before: lots of people have good ideas, but it's much, much more difficult to execute on a good idea. However, as a society, we tend to assume that the execution is easy, but the ideas are hard -- getting the equation backwards. NUMMI was a success -- for both GM and Toyota, but GM got the wrong lessons out of it.

Initially, it really just took the superficial parts of what worked at NUMMI in trying to expand that kind of production elsewhere. GM ignored the nuts and bolts of how to really execute on the teamwork process and how to focus on continual improvement. In one case, a GM manager even told someone to go to NUMMI and photograph every square inch, so that it could be recreated in a different plant, without bothering to care about how the rest of it worked. This is just the "idea." It's the window dressing. It's what people see that's pretty and clean, but not what's really going on behind the scenes.

How NUMMI Became A Cargo Cult

In fact, it sounds like the folks at Toyota knew this all along. While many were surprised that Toyota would "give up its secrets" to GM, someone on the program points out that the GM folks asked all the wrong questions. They were focused on the shiny front-end stuff, and not the dirty back-end of how it all really worked. As we've pointed out before, it's like the infamous cargo cults that think if they just copy what they see of something, they'll get the same results, totally missing the fact that the execution involves a lot more than you can see.

Following that, GM kept trying and failing (miserably) to replicate the success of NUMMI elsewhere -- but as the report points out, it effectively took two decades, often involving numerous execs who had to spend years at NUMMI before moving elsewhere, before GM finally realized that what worked at NUMMI involved a lot more than just teamwork and a cable that allowed anyone to stop the line. It was more than a cargo cult. It was more than the idea. It involved a lot of careful, detailed execution. But, of course, by then it was too late. GM's reputation for making crappy cars was well established. Add in a healthy dose of paralyzing union agreements and whack the whole thing around with a freefall economy, and you have a bankrupt car company, now mostly owned by the US government.

Oh, and as for Toyota's more recent problems? It seems that it may have learned some of GM's bad lessons in return. It started focusing on rapid growth over quality in an attempt to bulk up and compete -- and now it may be facing some of the same problems that GM faced.

It's The Execution, Stupid...

In the end, though, it really is a fascinating case study. The original case studies from back in the 90s of what worked at NUMMI only told half of the story. The closing of NUMMI today highlights the other half: ideas are easy. Executing is hard. Pretending it's the other way around can get you into an awful lot of trouble.